Protected Management Frames support

Protected Management Frames protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

Use of PMF on an SSID is configurable only in the CLI.

config wireless-controller vap

edit <vap_name>

set pmf {disable | enable | optional}

set pmf-assoc-comeback-timeout <integer>

set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}



pmf PMF status

disable PMF not used.

enable PMF required.

optional Enable PMF, but allow clients that do not use PMF.

pmf-assoc-comeback-timeout Protected Management Frames (PMF) maximum timeout for comeback (1-20 seconds).

pmf-sa-query-retry-timeout Protected Management Frames (PMF) sa query retry timeout interval (in 100 ms), from 100 to 500. Integer value from 1 to 5.

okc enable or disable Opportunistic Key Caching (OKC).